From: Joseph Brunner (joe@affirmedsystems.com)
Date: Wed Dec 31 2008 - 00:33:52 ARST
Um, and what version of SHA does Cisco use?
http://www.webpronews.com/topnews/2005/02/21/sha-encryption-algorithm-cracke
d
oh, well on to SHA-2 and TWOFISH then huh?
-Joe
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Bogdan Sass
Sent: Tuesday, December 30, 2008 3:51 PM
To: ccie forum
Subject: MD5 is officially dead...
... or at least that is how I interpret this scientific paper:
http://www.win.tue.nl/hashclash/rogue-ca/#sec1
For several years, I have been telling people (mostly students :) )
that "Yes, MD5 has vulnerabilities. Yes, we should move away from MD5.
But no, MD5 has not been cracked yet - not in the sense of <finding
collisions for a chosen text, such as a digital certificate>".
Well, that last step (a real-world attack based on the
vulnerabilities of MD5) has just been performed. The researchers managed
to create a fake certificate that is accepted by a browser as being
signed by a commercial CA. Furthermore, this certificate is an
_intermediate CA cert_ - which means that all certificates generated by
it will also be accepted as valid by web browsers. A very powerful (and
extremely scary) proof of concept!
Sorry if this is slightly OT, but I believe it really is something
that us networkers should be aware of (even if not working specifically
in the security field).
-- Bogdan Sass CCNP,CCSP,JNCIA-ER,CCIE #22221 (RS) Information Systems Security Professional "Curiosity was framed - ignorance killed the cat"Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:10 ARST